Mortgage cos. accused of consumer privacy violations

The Federal Trade Commission has charged two mortgage companies with violating the agency's Gramm-Leach-Bliley (GLB) Safeguards Rule by not having reasonable protections for customers' sensitive personal and financial information.

The FTC filed an administrative action against Nationwide Mortgage Group Inc. (Nationwide) and its president John D. Eubank, alleging that the Fairfax, Va.-based mortgage broker failed to implement safeguards to protect its customers' names, social security numbers, credit histories, bank account numbers, income tax returns, and other sensitive financial information.

Sunbelt Lending Services Inc. (Sunbelt), a subsidiary of Cendant Mortgage Corp. with headquarters in Clearwater, Fla., has agreed to settle similar FTC charges. The settlement with Sunbelt will bar future violations of the Safeguards Rule and require biannual audits of Sunbelt's information security program by a qualified, independent professional for 10 years. These are the FTC's first cases enforcing the Safeguards Rule.

The Safeguards Rule, which implements the security requirements of the GLB Act, requires financial institutions to have reasonable policies and procedures to ensure the security and confidentiality of customer information. The Rule requires financial institutions to implement a written information security program that is appropriate to the company's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its program, each financial institution must also: (1) assign one or more employees to oversee the program; (2) conduct a risk assessment; (3) put safeguards in place to control the risks identified in the assessment and regularly test and monitor them; (4) require service providers, by written contract, to protect customers' personal information; and (5) periodically update its security program.

The FTC targeted Nationwide and Sunbelt as part of a nationwide sweep of automobile dealers and mortgage companies to assess compliance with the Rule. Although the sweep showed compliance by many of the companies targeted, it also showed significant failures to comply by Nationwide and Sunbelt.

According to the FTC's complaints, both companies allegedly failed to comply with the Rule's basic requirements, including that they assess the risks to sensitive customer information and implement safeguards to control these risks. In addition, Nationwide allegedly failed to train its employees on information security issues; oversee its loan officers' handling of customer information; and monitor its computer network for vulnerabilities. Sunbelt also allegedly failed to oversee the security practices of its service providers and of its loan officers working from remote locations throughout the state of Florida.

Finally, the complaint alleges that both companies violated the GLB Privacy Rule, which requires financial institutions to provide consumers with privacy notices describing how they use and disclose consumers' personal information. According to the complaints, Nationwide allegedly did not provide the privacy notices to its customers, and Sunbelt allegedly did not provide the notices to its online customers.

In addition, the company must have its security program certified as meeting or exceeding the standards in the consent order by an independent professional within six months and every other year thereafter for 10 years. The order also contains standard recordkeeping provisions to allow the FTC to monitor Sunbelt's compliance.